How to Implement External Security for Datacom - Defining the System Resource Class?

Article ID: 51404

Products

Datacom DATACOM - AD Ideal CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services Datacom/AD CA ecoMeter Server Component FOC EASYTRIEVE REPORT GENERATOR FOR COMMON SERVICES INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA On Demand Portal CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware

Issue/Introduction

Description:

This article briefly discusses what you need to define to turn on external security, when to do it, and how to code the level of security used for each Datacom system at your site.

Solution:

You will have to set up the System Resource Class, DTSYSTEM (or [email protected] in RACF), in CA ACF2, CA Top Secret, or IBM RACF. This resource class is the key to turning on external security for Datacom products, features and data. It is identified by the internal CXX name. To determine the internal CXX name, review the Datacom started task JESLOG message DB00201I MULTI-USER ENABLED CXX=cxxname. DTSYSTEM is used for level checking and identifies the product, feature, table or view being protected. This resource class should be the LAST resource class you define.

To activate external security you must ALLOW access to the .PASS definition of one of the access levels described below and DENY access to the equivalent level's .FAIL definition for the userID that brings up the Datacom started task. To deactivate external security, reverse this by DENYing access to the .PASS definition and ALLOWing access to the .FAIL definition.

When Datacom is brought up (or Multi-User is enabled), there is an internal call made to the external security product to determine:

  1. Whether external security is in effect.

  2. The security access level which is defined in the external security product.

    Currently there are 5 levels of security definitions available. Use one of the following resource definitions with the DTSYSTEM resource class. To activate one of these levels, allow the userID that brings up Datacom access to the PASS definition and deny it access to the FAIL definition. To deactivate, deny access to the PASS definition and allow access to the FAIL definition.

    CA recommends that you define the highest level available, which allows the most flexibility. Table Resource Classes are described in the next series of Knowledge Documents. For CA Datacom r11 and forward, there are 10 Table Resource Classes available.

    PASS definition            Security provided                                                              FAIL definition
    ACTIVATE.LEVEL05.PASS      10 Table Resource Classes and DataQuery security                               ACTIVATE.LEVEL05.FAIL
    ACTIVATE.LEVEL04.PASS      10 Table Resource Classes and view security                                    ACTIVATE.LEVEL04.FAIL
    ACTIVATE.LEVEL03.PASS      10 Table Resource Classes and expanded path security                           ACTIVATE.LEVEL03.FAIL
    ACTIVATE.LEVEL02.PASS      DTTABLE and DXTABLE Table Resource Classes for record-at-a-time and SQL access ACTIVATE.LEVEL02.FAIL
    ACTIVATE.LEVEL01.PASS      DTTABLE Table Resource Class only, for record-at-a-time access                 ACTIVATE.LEVEL01.FAIL

Because the DTSYSTEM definitions are what turn on external security, ensure that all the other access definitions (the Table Resource Classes and their permissions) are in place before you define them.

After all resources have been defined and all permissions have either been allowed or denied to these resources, you can confirm that external security is activated by looking for the following Datacom message in your Datacom JESLOG or LISTLOG: DB00220I External Security is active...
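The following Python script is an added example, not part of this Knowledge Document or of Datacom itself. It models the activation check described above from the administrator's side: given the ALLOW/DENY state of the started-task userID for each ACTIVATE.LEVELnn.PASS and .FAIL resource, it reports which level would be in effect, flags incomplete or contradictory definitions, and picks the CXX name and the "External Security is active" confirmation out of JESLOG lines. The permission dictionary and the log lines are constructed sample data; how the page's security products actually evaluate access is not reproduced here, only the PASS-allowed/FAIL-denied rule the article states.

```python
import re

# The five DTSYSTEM activation levels from the article, highest first.
LEVELS = {
    5: "10 Table Resource Classes and DataQuery security",
    4: "10 Table Resource Classes and view security",
    3: "10 Table Resource Classes and expanded path security",
    2: "DTTABLE and DXTABLE Table Resource Classes (record-at-a-time and SQL)",
    1: "DTTABLE Table Resource Class only (record-at-a-time)",
}


def pass_name(level: int) -> str:
    return f"ACTIVATE.LEVEL{level:02d}.PASS"


def fail_name(level: int) -> str:
    return f"ACTIVATE.LEVEL{level:02d}.FAIL"


def build_permits(active_level: int) -> dict:
    """Build the intended DTSYSTEM state for the started-task userID.

    active_level 1..5 activates that level (PASS allowed, FAIL denied);
    every other level is left deactivated (PASS denied, FAIL allowed).
    active_level 0 leaves external security off entirely.
    """
    permits = {}
    for level in LEVELS:
        active = level == active_level
        permits[pass_name(level)] = "ALLOW" if active else "DENY"
        permits[fail_name(level)] = "DENY" if active else "ALLOW"
    return permits


def effective_level(permits: dict) -> int:
    """Return the level whose PASS is allowed and FAIL denied, or 0 if none.

    Raises ValueError when more than one level satisfies the rule, because
    the article says to use exactly one of the five definitions.
    """
    active = [
        level for level in LEVELS
        if permits.get(pass_name(level)) == "ALLOW"
        and permits.get(fail_name(level)) == "DENY"
    ]
    if len(active) > 1:
        raise ValueError(f"more than one level active: {sorted(active)}")
    return active[0] if active else 0


def audit(permits: dict) -> list:
    """List definition problems an administrator should fix before start-up."""
    findings = []
    for level in LEVELS:
        p_res, f_res = pass_name(level), fail_name(level)
        for res in (p_res, f_res):
            if res not in permits:
                findings.append(f"{res} is not defined in DTSYSTEM")
        if permits.get(p_res) == "ALLOW" and permits.get(f_res) == "ALLOW":
            findings.append(f"LEVEL{level:02d}: PASS and FAIL are both allowed")
    try:
        effective_level(permits)
    except ValueError as exc:
        findings.append(str(exc))
    return findings


# Constructed JESLOG excerpt; the CXX name PRODCXX is a sample value.
SAMPLE_JESLOG = [
    "DB00201I MULTI-USER ENABLED CXX=PRODCXX",
    "DB00220I External Security is active...",
]

CXX_RE = re.compile(r"DB00201I\s+MULTI-USER ENABLED CXX=(\S+)")
ACTIVE_RE = re.compile(r"DB00220I\s+External Security is active")


def parse_jeslog(lines) -> dict:
    """Extract the internal CXX name and whether DB00220I was issued."""
    result = {"cxx": None, "security_active": False}
    for line in lines:
        m = CXX_RE.search(line)
        if m:
            result["cxx"] = m.group(1)
        if ACTIVE_RE.search(line):
            result["security_active"] = True
    return result


if __name__ == "__main__":
    permits = build_permits(5)
    print("effective level:", effective_level(permits), "-", LEVELS[5])
    print("findings:", audit(permits) or "none")
    print("jeslog:", parse_jeslog(SAMPLE_JESLOG))
```

Run it against the permission state you intend to code, then compare the reported level with what DB00220I shows in the JESLOG after the next start-up; a mismatch usually means a resource was left undefined or a PASS/FAIL pair was not reversed as a unit.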

Environment

Release:
Component: DB